
Nuclear Power Plant Bright-Line NERC: Tim Roxey and Jim Hughes NRC: Perry Pederson and Ralph Costello



Presentation Transcript


    1. Nuclear Power Plant “Bright-Line”
       NERC: Tim Roxey and Jim Hughes
       NRC: Perry Pederson and Ralph Costello
       Charlotte, NC, April 22, 2010
       Phoenix, AZ, April 26, 2010
       Philadelphia, PA, May 4, 2010
       Chicago, IL, May 6, 2010

    2. Workshop Topics
       Notes: Stress that the Bright-Line is a FERC Directive to complete.

    3. “Bright-Line” Requirement
       Notes: Talk to how the NRC and NERC worked together to develop the “generic” list, to ensure its accuracy, meet 706-B, and the FERC Order to implement the process.

    4. Cyber Security at NRC NRC/NERC Bright-Line Workshop

    5. Overview
       10 CFR 73.54
       Regulatory Guide 5.71
       Notes: Fear, Uncertainty, and Doubt; Federal Energy Regulatory Commission; North American Electric Reliability Corporation; Code of Federal Regulations

    6. 10 CFR 73.54
       High-level, Performance-Based, Programmatic
       FOCUS: Prevention of Radiological Sabotage
       Generic (i.e., not reactor-specific)
       Consistent with physical security regulatory approach
       Basic Requirements: systems that must be protected; Defense-in-Depth protective strategy; application of security controls
       Implementation details maintained on site
       Submit Cyber Security Plans to NRC for approval
       Cyber Security Plans: site-specific processes and criteria

    7. RG 5.71 Overview
       Components: Main Body; Appendix A (generic cyber security plan template); Appendix B (technical security controls); Appendix C (operational/management security controls)
       Performance-Based, Programmatic
       Consistent with NIST recommendations
       Flexible and minimally prescriptive, with the burden on licensees to establish effective programs
       Alignment with Digital I&C Interim Staff Guidance: ISG-1, ISG-4, RG 1.152
       Notes: Instrumentation and Control (I&C) Interim Staff Guidance (ISG)

    8. RG 5.71 Guideline

    9. Bright-Line Process NERC: Tim Roxey

    10. Cyber Controls – NPP: a Total View
       Notes: INTRODUCTION: The NRC has presented the left side of this model; NERC’s jurisdictional regulatory basis is founded in the right side of this model… Stress that these are two different focus areas with different project schedules that are separated by the Bright-Line: NO dual regulation. NOTE: It should be noted that there will be some SSCs that will not be impacted by either NRC or NERC requirements. On CIP-002 through CIP-009, state how the remaining SSCs that manage CEII or may impact reliable delivery of electricity to the BPS “MAY” be in scope.

    11. Bright-Line History
       January 18, 2008: FERC issued Order No. 706 imposing CIP-002 through CIP-009 Reliability Standards on Bulk Power System (BPS) users, owners, and operators. Each of these CIP-002 through CIP-009 standards exempted facilities regulated by the NRC.
       March 19, 2009: FERC issued Order No. 706-B, noting that the NRC’s proposed regulations on cyber security would not apply to all systems, structures, and components (SSCs) within an NPP and therefore these remaining balance of plant (BOP) SSCs are subject to compliance with NERC CIP Reliability Standards. FERC noted there will be no “dual regulation.”
       Notes: Most are R+18 months and S+10. CIP-002 R1 & R2 are R+12. CIP-005 through CIP-008 have RO+6 months for outage considerations. It is important to mention that this implementation plan was thoroughly vetted by the NPP industry for comments.

    12. Bright-Line History (Cont’d)
       December 17, 2009: FERC Order directing NERC to present a process on how SSCs are exempted from NERC Reliability Standards by January 19, 2010 (Bright-Line)
       December 30, 2009: Historic MOU executed between the NRC and NERC identifying their roles and responsibilities
       January 19, 2010: NERC filing to FERC the details on the exemption process for NPPs, coordinated with the NRC to determine those SSCs subject to NERC jurisdiction and those SSCs subject to NRC jurisdiction – Generic List
       March 18, 2010: FERC Order approving NERC’s Bright-Line & Implementation plan (R = March 18, 2010)
       Notes: December 17, 2009: FERC issued its Order Addressing Compliance Filing and Requiring Further Compliance Filing, in part, which directed NERC to present its exemption process (i.e., the “Bright-Line Determination”, or the process for determining which SSCs are subject to NRC jurisdiction and which are subject to compliance with NERC Reliability Standards) by January 19, 2010. December 30, 2009: MOU executed between the NRC and NERC to set forth and coordinate the roles and responsibilities of the NRC and NERC as they relate to their respective cyber security requirements. January 19, 2010: NERC made a compliance filing to FERC explaining the exemption process it will undertake in coordination with the NRC to determine those SSCs subject to NERC jurisdiction and those SSCs subject to NRC jurisdiction. Talk to how the NRC and NERC worked together to develop the “generic” list. NERC/NRC recognize that there are differences from NPP to NPP. To ensure its accuracy, meet 706-B, and implement the process as stated in the compliance filing, the survey was deemed the most efficient means for accuracy: “Certified Bright-Line”.

    13. Confidential Information
       - Confidential business and market information
       - Critical energy infrastructure information
       - Personnel information that identifies or could be used to identify a specific individual, or reveals personnel, financial, medical, or other personal information
       - Work papers, including any records produced for or created in the course of an evaluation or audit
       - Investigative files, including any records produced for or created in the course of an investigation
       - Cybersecurity incident information; provided, that public information developed or acquired by an entity shall be excluded from this definition
       Notes: Tim Roxey & Jim Hughes are NERC’s “Reviewing Officials” for SGI… This is per the NERC/NRC MOU Appendix.

    14. Collection of Information
       NERC’s Authority to Collect Bright-Line Information from NPPs
       Section 215 of the Federal Power Act (16 U.S.C. §824o): Under Section 215, Congress entrusted FERC with the duties of approving and enforcing rules to ensure the reliability of the Nation’s bulk power system, and with the duties of certifying an Electric Reliability Organization (“ERO”) that would be charged with developing and enforcing mandatory Reliability Standards, subject to FERC approval. NERC was certified as the ERO on July 20, 2006.
       Title 18 C.F.R. §39.2(d) (FERC’s Regulations): (d) Each user, owner or operator of the Bulk-Power System within the United States (other than Alaska and Hawaii) shall provide the [Federal Energy Regulatory] Commission, the Electric Reliability Organization and the applicable Regional Entity such information as is necessary to implement section 215 of the Federal Power Act as determined by the [Federal Energy Regulatory] Commission and set out in the Rules of the Electric Reliability Organization and each applicable Regional Entity. The Electric Reliability Organization and each Regional Entity shall provide the [Federal Energy Regulatory] Commission such information as is necessary to implement section 215 of the Federal Power Act.
       NERC Rule of Procedure 403, Section 10.1: Information Submittal - Each Regional Entity has the authority to collect the necessary information to determine compliance and shall develop processes for gathering data from the bulk power system owners, operators, and users they monitor.

    15. North American Energy Reliability Corporation and Nuclear Regulatory Commission Memorandum of Understanding
       Ralph Costello, Team Leader, Office of Nuclear Security and Incident Response, Nuclear Regulatory Commission

    16. NRC - NERC MOU
       Cooperation – NERC’s disposition of exceptions
       Bright-Line process

    17. NRC - NERC MOU Cont.
       Share information relative to digital assets governed by the other party’s cyber security requirements
       Coordinate to the maximum extent on the process for conducting inspections

    18. NRC - NERC MOU Cont.
       Sharing of all information necessary to carry out the intent of the MOU
       Coordinate on all public announcements of enforcement actions relative to cyber security requirements, and coordinate the resolution of issues involving enforcement actions

    19. NRC - NERC MOU Cont.: Memorandum of Understanding
       http://www.nrc.gov/reading-rm/doc-collections/news/2010/10-005.html
       http://edocket.access.gpo.gov/2010/2010-229.htm

    20. Nuclear Power Plant “Bright-Line” Survey
       Jim Hughes

    21. Workshop Objectives

    22. Bright-Line Documentation
       Notes: Speak to the web site. It is possible to hit the link to go to the web site and briefly discuss what is found there.

    23. Bright-Line Survey Overview
       Notes: Take the time to ensure that everyone has the survey in front of them, then speak to the survey.

    24. Bright-Line Survey
       Notes: IF the question is asked regarding criteria, RoP 1500 provides the definition of CEII.

    25. Bright-Line Survey
       CEII IAW RoP 1501.3… Critical energy infrastructure information means specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that (i) relates details about the production, generation, transportation, transmission, or distribution of energy; (ii) could be useful to a person in planning an attack on critical infrastructure; and (iii) does not simply give the location of the critical infrastructure.

    26. Next Steps
       Special Registration – NUC-001-2 “Nuclear Plant GOP”

    27. Important Takeaways
       Notes: Stress the need to have accurate POC information and ensure the surveys get to the NPP(s) if there is only a corporate Compliance Contact.

    28. NERC Contact Data
